Why 1-Time Passcodes are a Corporate Liability
Phishing texts are showing exceptional success on stealing remote credentials and one-time passcodes from employees at several multinational technology companies and customer service firms. A series of SMS phishing attacks sent by a cybercriminal group have generated many breaches and disclosures from affected companies, which are now fighting against the same persistent threat: the capability of phishers to use mobile devices to interact directly with employees.
June 2022: Phishers used a wave of SMS phishing messages to target employees at staffing firms that offer customer support and outsourced services to numerous companies. The message asked users to click a link that would take them to a phishing page that replicated their employer’s Okta authentication website. After the users submit their credentials, they were also requested to provide their one-time password needed for multi-factor authentication.
The schemers behind the attacks created brand new domains with the name of the target company, then sent phishing messages urging employees to click on links to these domains so they could view a pending change in their work calendar.
The attackers’ websites leveraged a Telegram instant message bot to get any submitted information in real-time, allowing the scammers to have access to the victim’s username, password, and one-time code, and eventually use the phished information to log in as an employee at the real company’s website. However, security researchers were able to detect the information being sent by victims to the platform because of the way the Telegram bot was set up.
Security researchers at Singapore- based Group-IB were the first ones to report the information leak and named the campaign “0ktapus” for the scammers targeting companies using identity management tools from Okta.com.
According to Group-IB, “This case is of interest because despite using low-skill methods it was able to compromise a large number of well-known organizations. Furthermore, once the attackers compromised an organization they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance.”
It’s still unclear how many of these spam texts were sent out, however, KrebsOnSecurity reviewed the Telegram bot data and found that the phishing texts had generated nearly 10,000 replies over the course of two months of non-stop SMS phishing attacks, which targeted over one hundred companies.
Many replies came from those who were aware they were being phished, as evidence by the hundreds of aggressive responses that included offences targeting the schemers. Telegram bot data shows that the very first response was sent by such employee, who replied using the username “havefuninjail.”
Unfortunately, many employees still responded with what appeared to be their true credentials – most of them included one-time codes required for multi-factor authentication. In mid-July, the phishers decided to focus on attacking the giant internet infrastructure Cloudfare.com, and data shows that at least three employees fell for the phishing scam.
Early August: Cloudflare posted a blog saying they had everything under control and no Cloudflare systems were compromised since they had detected the account takeovers. According to Cloudflare, they had nothing to provide the schemers because they don’t use one-time passcodes as a second factor. However, they still wanted to drive attention towards the phishing attacks because these schemes would most likely work against many other companies.
Cloudflare’s CEO, Matthew Prince wrote, “This was a sophisticated attack targeting employees and systems in such a way that we believe most organizations would be likely to be breached. On July 20, 2022, the Cloudflare Security team received reports of employees receiving legitimate-looking text messages pointing to what appeared to be a Cloudflare Okta login page. The messages began at 2022-07-20 22:50 UTC. Over the course of less than 1 minute, at least 76 employees received text messages on their personal and work phones. Some messages were also sent to the employee’s family members.”
On many different occasions, attackers targeted employees at Twilio.com, a San Francisco based organization that offers services for making and receiving text messages and phone calls. It is still not clear the number of Twilio employees who received the phishing text, but the data shows that at least four employees replied to the flood of SMS phishing attacks on July 27, August 2, and August 7.
Twilio announced that on August 4 it detected unauthorized access to information on a group of Twilio customer accounts through a very elaborate social engineering attack created to steal employee credentials.
“This broad-based attack against our employee base succeeded in fooling some employees into providing their credentials,” Twilio wrote. “The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data.”
The data mentioned by Twilio included private information on nearly 1,900 users of Signal, a secure messaging app, which uses Twilio’s phone number verification services. In its announcement of the breach, Signal mentioned that with their access to Twilio’s internal tools the phishers could re-register those employee’s phone numbers to another device.
Another company affected by the phishing attack was DoorDash, a food delivery service. On August 25, DoorDash announced that a breach on a third-party vendor allowed hackers to gain access to some of the company’s internal tools. DoorDash mentioned that the attackers only stole information on a limited number of users that had been already notified. TechCrunch confirmed that the incident at DoorDash was connected to the same phishing attacks that targeted Twilio.
This phishing group was very effective targeting employees at major mobile wireless providers, with their greatest success being T-Mobile. Between July 10 and July 16, many T-Mobile employees failed to recognize the phishing attack and provided their remote access credentials.
“Credential theft continues to be an ongoing issue in our industry as wireless providers are constantly battling bad actors that are focused on finding new ways to pursue illegal activities like this,” T-Mobile said. “Our tools and teams worked as designed to quickly identify and respond to this large-scale smishing attack earlier this year that targeted many companies. We continue to work to prevent these types of attacks and will continue to evolve and improve our approach.”
This same phishing gang got hundreds of replies from employees at some of the biggest customer support and staffing organizations such as Teleperformanceusa.com, Sitel.com and Sykes.com. Teleperformance did not respond to any requests to discuss the matter. KrebsOnSecurity was able to get a hold of Christopher Knauer, Global Chief Security Officer at Sitel Group, the major customer support organization that had recently acquired Sykes. Knauer mentioned that the schemers created newly registered domains and required their victims to approve upcoming changes to their work schedule.
Knauer also said the schemers created the phishing domains just minutes before sending spam links to those domains in fake SMS alerts to targeted employees. He said that this type of phishing attack avoided automated alerts generated by firms that monitor brand names for any indication of new phishing domains being registered.
“They were using the domains as soon as they became available,” Knauer said. “The alerting services don’t often let you know until 24 hours after a domain has been registered.”
On two different occasions, July 28 and August 7, numerous employees at Mailchimp, an email delivery firm, provided their remote credentials to this phishing gang. Mailchimp posted a blog on August 12 where they mentioned the attackers used their access to employee accounts to steal information from 214 customers associated with cryptocurrency and finance.
On August 15, DigitalOcean posted a blog saying it had cut ties with Mailchimp after its account with the platform was compromised. DigitalOcean disclosed that the attack on Mailchimp resulted in a very small group of DigitalOcean customers experiencing attempts to compromise their account through password reset.
According to interviews with several companies attacked by the gang, the scammers are focused on stealing access to cryptocurrency, and to companies that manage communications with people considering investing in cryptocurrency. On August 3, Klaviyo.com, an email and SMS marketing company, published a blog in which the company’s CEO described how the attackers downloaded information on 38 crypto-related accounts by gaining access to the company’s internal tools.
The universal use of mobile phones became a salvation for most companies trying to manage their employees during the Coronavirus pandemic. However, mobile devices are also becoming a liability for organizations that use them for different forms of multi-factor authentication, like one-time codes generated by a mobile app or delivered via text message.
Because of the success from this phishing gang, this type of data extraction is now being massively automated, and employee authentication tools can become a liability that can quickly lead to security and privacy risks for an employer’s partners or anyone in their supply chain.
Unfortunately, a great number of companies still use text messages as a form of multifactor authentication. According to this year’s report from Okta, 47% of workforce customers use text messages and voice factors for multi-factor authentication. Okta found that since 2008 this number went down by 5%.
Several companies just like Sitel are requiring that all employees with remote access to internal networks to use work-issued laptops and/or mobile devices, which are filled with custom profiles that can only be accessed through the company’s devices.
Other companies are choosing to take a different route by moving away from SMS and one-time code apps and towards requiring employees to use physical FIDO multi-factor authentication devices like security keys, which can be a step back for phishers because any stolen credentials can only be used if the attacker has physical access to the employee’s security key or mobile device.
Last year Twitter announced that it was requiring all employees to use security keys, and/or biometrics authentication via their mobile devices. Data from the attacker’s Telegram bot shows that on June 16, five Twitter employees gave away their work credentials. In an interview from KresOnSecurity, Twitter confirmed that many employees were relieved from their usernames and passwords, however, their requirements to use security keys prevented the attackers from abusing that information.
Twitter rushed its plan to make improvements on their employee authentication after a July 2020 security incident, where many employees fell for the phishing attack and were relieved of their credentials for Twitter’s internal tools. During that breach, the hackers used Twitter’s internal tools to take over accounts from some of the world’s most important public figures, executives, and celebrities – using those accounts to post links to bitcoin scams.
“Security keys can differentiate legitimate sites from malicious ones and block phishing attempts that SMS 2FA or one-time password (OTP) verification codes would not,” Twitter said. “To deploy security keys internally at Twitter, we migrated from a variety of phishable 2FA methods to using security keys as our only supported 2FA method on internal systems.”
Abacode offers an exclusive MCCP Core™ Program which includes 24/7/365 “eyes on glass” MDR, threat hunting, compliance monitoring, cybersecurity awareness training managed services, and more, to keep our clients secure.
Contact us to learn more about how we can help prevent these attacks from happening to your business.